Follow-up: I downloaded openssl-0.9.8y and 0.9.8za and looked at all the changes, and in ssl/s3_enc.c and ssl/t1_enc.c the following lines were added in 0.9.8za to the "int ssl3_alert_code(int code)" and "int tls1_alert_code(int code)" functions to handle SSL_AD_UNRECOGNIZED_NAME.

I just confirmed that the change to ssl/t1_enc.c from 0.9.8y to 0.9.8za triggered this. I commented out the line marked below in both files and it resolves my problem.

    int tls1_alert_code(int code)
    {
        switch (code)
        {
        [...snip...]
        case SSL_AD_INTERNAL_ERROR:                  return(SSL3_AD_HANDSHAKE_FAILURE);
        case SSL_AD_USER_CANCELLED:                  return(SSL3_AD_HANDSHAKE_FAILURE);
        case SSL_AD_NO_RENEGOTIATION:                return(-1); /* Don't send it :-) */
        ///////////// These lines were added in 0.9.8za:
        case SSL_AD_UNSUPPORTED_EXTENSION:           return(SSL3_AD_HANDSHAKE_FAILURE);
        case SSL_AD_CERTIFICATE_UNOBTAINABLE:        return(SSL3_AD_HANDSHAKE_FAILURE);
        ///////////// Commenting out this next line resolves my problem
        ///////////// (causes this function to return -1 instead of SSL3_AD_HANDSHAKE_FAILURE)
        case SSL_AD_UNRECOGNIZED_NAME:               return(SSL3_AD_HANDSHAKE_FAILURE);
        case SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE: return(SSL3_AD_HANDSHAKE_FAILURE);
        case SSL_AD_BAD_CERTIFICATE_HASH_VALUE:      return(SSL3_AD_HANDSHAKE_FAILURE);
        case SSL_AD_UNKNOWN_PSK_IDENTITY:            return(TLS1_AD_UNKNOWN_PSK_IDENTITY);
        /////////////
        default:                                     return(-1);
        }
    }
    [...snip...]

In my case, the clients were connecting with TLSv1, so the s3_enc.c changes were irrelevant for my particular test case. However, for clients that are connecting with SSLv3, I would expect the same problem to occur.

Best Regards,
Steve Bush

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
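The mapping above decides which alert byte, if any, a 0.9.8za server puts on the wire when it does not recognise the SNI name: tls1_alert_code() turns the internal SSL_AD_UNRECOGNIZED_NAME into SSL3_AD_HANDSHAKE_FAILURE (description 40), while a return of -1 suppresses the alert entirely. When diagnosing a failing client, the quickest confirmation is to look at the alert record the server actually sent rather than at the library version. The following decoder is an added example, not code from OpenSSL or from the post; it parses a plaintext TLS alert record (5-byte record header plus the 2-byte level/description payload) and names the alert. The two byte strings are constructed samples, not captured traffic, and the description table is limited to the alert codes that appear in the switch statement above.

```python
"""Decode plaintext TLS alert records so the alert a server actually sent
can be checked.  Added example; not OpenSSL code and not from the post.
"""
from dataclasses import dataclass

# TLS record content type for alerts (RFC 5246, section 6.2.1).
CONTENT_TYPE_ALERT = 21

# Alert levels carried in the first payload byte.
ALERT_LEVEL = {1: "warning", 2: "fatal"}

# Alert descriptions that appear in the tls1_alert_code() switch in the post,
# keyed by their on-the-wire value (RFC 5246 section 7.2 and RFC 6066).
ALERT_DESCRIPTION = {
    40: "handshake_failure",
    80: "internal_error",
    90: "user_canceled",
    100: "no_renegotiation",
    110: "unsupported_extension",
    111: "certificate_unobtainable",
    112: "unrecognized_name",
    113: "bad_certificate_status_response",
    114: "bad_certificate_hash_value",
    115: "unknown_psk_identity",
}

# Record-layer version bytes to protocol names.
PROTOCOL_VERSION = {(3, 0): "SSLv3", (3, 1): "TLSv1.0", (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}


@dataclass(frozen=True)
class TLSAlert:
    version: str
    level: str
    description: str
    code: int


def parse_alert_record(record: bytes) -> TLSAlert:
    """Parse one plaintext TLS record and return the alert it carries.

    Raises ValueError for anything that is not a well-formed, unencrypted
    alert record, so other record types are never misreported as alerts.
    """
    if len(record) < 5:
        raise ValueError("record shorter than the 5-byte TLS record header")
    content_type, major, minor = record[0], record[1], record[2]
    length = int.from_bytes(record[3:5], "big")
    if content_type != CONTENT_TYPE_ALERT:
        raise ValueError(f"content type {content_type} is not an alert record")
    if length != 2 or len(record) != 5 + length:
        # A plaintext alert is exactly two bytes; anything else is truncated,
        # has trailing data, or is an encrypted alert that cannot be decoded here.
        raise ValueError("alert payload must be exactly 2 bytes")
    level_byte, desc_byte = record[5], record[6]
    if level_byte not in ALERT_LEVEL:
        raise ValueError(f"unknown alert level {level_byte}")
    return TLSAlert(
        version=PROTOCOL_VERSION.get((major, minor), f"unknown({major},{minor})"),
        level=ALERT_LEVEL[level_byte],
        description=ALERT_DESCRIPTION.get(desc_byte, f"unknown({desc_byte})"),
        code=desc_byte,
    )


def is_alert_record(record: bytes) -> bool:
    """True if the bytes decode as a plaintext alert record, False otherwise."""
    try:
        parse_alert_record(record)
        return True
    except ValueError:
        return False


def describe(record: bytes) -> str:
    """One-line human-readable summary of an alert record."""
    alert = parse_alert_record(record)
    return f"{alert.version} alert: {alert.level} {alert.description} ({alert.code})"


# Constructed samples (not captured traffic):
# a TLSv1.0 fatal handshake_failure (0x28 = 40), which is what the
# tls1_alert_code() mapping in the post produces for an unrecognised name ...
SAMPLE_TLS1_HANDSHAKE_FAILURE = bytes([0x15, 0x03, 0x01, 0x00, 0x02, 0x02, 0x28])
# ... and a TLSv1.0 fatal unrecognized_name (0x70 = 112), as a server that
# passes the alert through unchanged would send it.
SAMPLE_TLS1_UNRECOGNIZED_NAME = bytes([0x15, 0x03, 0x01, 0x00, 0x02, 0x02, 0x70])

if __name__ == "__main__":
    for sample in (SAMPLE_TLS1_HANDSHAKE_FAILURE, SAMPLE_TLS1_UNRECOGNIZED_NAME):
        print(describe(sample))
```

Feed it the first server-to-client record after the ClientHello from a packet capture: a fatal handshake_failure (40) on a TLSv1 connection is consistent with the 0.9.8za mapping described in the post, whereas no alert record at all is what the -1 return produces.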